[UPHPU] User Login suggestions
DavidSmith at byu.net
Thu Sep 2 14:54:28 MDT 2004
> On Thu, 2 Sep 2004 14:04:43 -0600 (MDT), David Smith <davidsmith at byu.net>
>> <quote who="Tierra">
>> > I could go on about RSA encryption, SSL, and others as I've coded up
>> > my own very secure login system.
>> Do share!
> You asked for it! (well, demanded, but it doesn't matter) =)
> If you don't have the funds or getting a _signed_ SSL certificate
> isn't worth the hassle, you can still sign your own certificates and
> still run the entire user session over encryption, only the user will
> be asked if your certificate is acceptable every time they visit the
> site. If you don't want that message either, then you're still not out
> send to the client to encrypt any data they will be sending back to
> the server (in my case, I encrypt the password, it's a little more
> cumbersome to encrypt all the POST data, and the HTTP request can
> still be seen since you're not running through standard SSL anyway).
> That's done with the help of PHP and a MySQL table that keeps track of
> all keys sent to clients on their different IP addresses so it can
> decrypt the data when it's sent back (we're still working with multiple
encrypt passwords on the client side without an SSL HTTP session for the
uug.byu.edu site. I couldn't find a solution, so I just settled for a less
secure setup with clear password transfer (and a little warning note). Did
or embedded in the script? How did your clients validate the authenticity
of the key? You've got my curiosity going now.